On Wed, Oct 9, 2024 at 11:36 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote: > On Tue, Oct 8, 2024 at 12:57 PM Roberto Sassu > <roberto.sassu@xxxxxxxxxxxxxxx> wrote: > > > > From: Roberto Sassu <roberto.sassu@xxxxxxxxxx> > > > > Move out the mutex in the ima_iint_cache structure to a new structure > > called ima_iint_cache_lock, so that a lock can be taken regardless of > > whether or not inode integrity metadata are stored in the inode. > > > > Introduce ima_inode_security() to simplify accessing the new structure in > > the inode security blob. > > > > Move the mutex initialization and annotation in the new function > > ima_inode_alloc_security() and introduce ima_iint_lock() and > > ima_iint_unlock() to respectively lock and unlock the mutex. > > > > Finally, expand the critical region in process_measurement() guarded by > > iint->mutex up to where the inode was locked, use only one iint lock in > > __ima_inode_hash(), since the mutex is now in the inode security blob, and > > replace the inode_lock()/inode_unlock() calls in ima_check_last_writer(). > > > > Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx> > > --- > > security/integrity/ima/ima.h | 26 ++++++++--- > > security/integrity/ima/ima_api.c | 4 +- > > security/integrity/ima/ima_iint.c | 77 ++++++++++++++++++++++++++----- > > security/integrity/ima/ima_main.c | 39 +++++++--------- > > 4 files changed, 104 insertions(+), 42 deletions(-) > > I'm not an IMA expert, but it looks reasonable to me, although > shouldn't this carry a stable CC in the patch metadata? > > Reviewed-by: Paul Moore <paul@xxxxxxxxxxxxxx> Sorry, one more thing ... did you verify this patchset resolves the syzbot problem? I saw at least one reproducer. -- paul-moore.com